Re: Bug, possible hole in nslookup, various operating systems

[SSecurity <dave.mclaughlin () site-security net>]

Just a couple that I tested...

Slackware 7.1.0
Linux slackware 2.2.17 #2
bash-2.04$ nslookup
Default Server:  proxy1.corlis1.pa.home.com
Address:  24.1.40.33

> fatal flex scanner internal error--end of buffer missed
bash-2.04$

___________

FreeBSD 2.2.7-STABLE

bash-2.01$ nslookup
Default Server:  ns1.xxxxxxx.net
Address:  199.xxx.xx.10

> ^C
> ^C
> ^C
> ^C
> ^C


Dave McLaughlin
security () justshow com



On Fri, 15 Dec 2000 11:23:16 -0600, Gunnar Wolf said:

> Hello,
>
>  I found a strange behavior in the nslookup command, and was able to
>  reproduce it in several different platforms. I do not have deep knowledge
>  of the inner working of nslookup, but the message I got seemed a bit
>  suspicious, and I decided to report it before someone can find a way to
>  exploit it.
>
>  What I am doing is very simple - too simple, maybe. I run nslookup in
>  interactive mode, and send ^C while it is waiting for my text. This leads
>  to this error:
>
>  ---------------------------------------------------------
>  SOLARIS:
>  ---------------------------------------------------------
>  [gwolf@solaris gwolf]$ /usr/sbin/nslookup=20
>  Default Server:  dns1.unam.mx
>  Address:  132.248.204.1
>
>  > asd^C
>  > fatal flex scanner internal error--end of buffer missed
>
>  ---------------------------------------------------------
>  LINUX:
>  ---------------------------------------------------------
>  [gwolf@linux gwolf]$ nslookup=20
>  Default Server:  dns1.unam.mx
>  Address:  132.248.204.1
>
>  > asd
>  > fatal flex scanner internal error--end of buffer missed
>
>  ---------------------------------------------------------
>  IRIX:
>  ---------------------------------------------------------
>  Yes_Master: nslookup
>
>  Default Server:  dns1.unam.mx
>  Address:  132.248.204.1
>  >
>  > fatal flex scanner internal error--end of buffer missed
>
>  I think that when a ^C is recieved, nslookup is passing a non-terminated
>  string - a string without the ASCII 0 character marking the end of the
>  string. The flex lexical analyzer detects this and, fortunately, complains
>  out loud... However, there can be a way to lead from here to a compromise
>  situation.
>
>  I tried to run this in OpenBSD and in Digital UNIX, and:
>
>  ---------------------------------------------------------
>  OPENBSD
>  ---------------------------------------------------------
>  [gwolf@openbsd gwolf]$ nslookup=20
>  Default Server:  dns1.unam.mx
>  Address:  132.248.204.1
>
>  > ^C
>  > ^C
>  >=20
>  ---------------------------------------------------------
>  DIGITAL
>  ---------------------------------------------------------
>  digital> nslookup=20
>  Default Server:  dns1.unam.mx
>  Address:  132.248.204.1
>
>  >
>  >
>  ---------------------------------------------------------
>
>  The operating systems and versions I tested this on are:
>
>  VULNERABLE:
>  RedHat Linux 6.1 for Alpha and i386 (kernel 2.2.16)
>  Solaris 7 for Sparc
>  Irix athos 6.2
>
>  NOT VULNERABLE:
>  OpenBSD 2.7 for Sparc and i386
>  OpenBSD 2.8 for i386
>  Digital Unix V4.0C
>
>  -------------------------------------------------------------------
>             Gunnar Wolf    gwolf () campus iztacala unam mx
>       Universidad Nacional Aut=F3noma de M=E9xico, Campus Iztacala
>     Jefatura de Secci=F3n de Desarrollo y Admon. de Sistemas en Red
>         Departamento de Seguridad en Computo - DGSCA - UNAM
>  -------------------------------------------------------------------